Re: Sync Replication via TLS/SSL - get bind err
On Friday 21 December 2007 00:31:12 RUMI Szabolcs wrote:
> On Thu, 20 Dec 2007 12:08:16 -0800
> Quanah Gibson-Mount <email@example.com> wrote:
> > > IMHO it is extremely harsh how the self-signed certs are treated by
> > > OpenLDAP. In the majority of cases this is forcing people (after
> > > many hours of struggling) to use "TLS_REQCERT never" or similar
> > > settings, which ends up being a lot more insecure than it would be
> > > to accept a known self-signed cert... Not to mention that the
> > > syncrepl suboption "tls_reqcert=never" is apparently ignored so
> > > practically I've found that syncrepl is currently inoperable with
> > > any form of encryption. Is there anybody who could tell me what
> > > this is good for?
> > Interestingly, plenty of people have gotten this to work. First, you
> > need to know how to create self-signed certs using a CA. Of course,
> > that's really off-topic for the OpenLDAP list, even though it has
> > been discussed many times. But until you know how to get that
> > working, you won't be able to get the syncrepl client to work, either.
> I'm using certificates I've generated over many years with a lot of
> software that has SSL support, like Apache, Cyrus IMAP, Postfix, OpenVPN,
> etc., and all of these are working seamlessly, with the exception of
But why do you configure OpenVPN to use a certificate as CA certificate, but
not your OpenLDAP clients? Or do you throw away half the value of SSL by
disabling certificate validation on *all* of these services?
> It's not only me who's struggling, just Google around if
> you don't believe me... Even the Gentoo Linux ebuild for OpenLDAP
> suggests that I have to use "TLS_REQCERT never" with self-signed
> certificates or else TLS won't work. And they're right.
IMHO, the Gentoo documentation for LDAP isn't necessarily the greatest.
Neither are most out-of-date HOWTOs (as they have no "WHY NOT TO" or "WHY TO"
part to them).
> To a proper self-signed certificate OpenLDAP simply says "self-signed
> certificate in certificate chain" or something like that and TLS/SSL
> handshake fails with an error.
For a client connection (such as syncrepl), add TLS_CACERT pointing to the
certificate in your ldap.conf. In general (I haven't looked at
the "TLS_REQCERT never" case), if ldapsearch works with the -ZZ flag, then
syncrepl will work.
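The two settings the reply contrasts, as an added example that is not part of this thread or of OpenLDAP itself: the weak "TLS_REQCERT never" line beside the client configuration that keeps verification on (TLS_CACERT pointing at the CA, or at the self-signed server certificate itself), the matching syncrepl consumer stanza for slapd.conf, and a small lint that tells the two apart. The paths (/etc/ssl/certs/my-ca.pem), the provider host (ldap-master.example.com), the suffix dc=example,dc=com and the replicator DN are all assumed placeholders; the syncrepl keywords (starttls, tls_cacert, tls_reqcert) are the ones documented in slapd.conf(5).

```shell
#!/bin/sh
# Added example, not code from the thread. All paths, hosts and DNs below are
# hypothetical placeholders; substitute your own.

# The setting out-of-date HOWTOs recommend: it turns off server certificate
# verification entirely, so any host that speaks TLS is accepted.
WEAK_LDAP_CONF='TLS_REQCERT never'

# The fix for a self-signed or private-CA certificate: tell the client which
# certificate to trust and keep verification mandatory.  TLS_CACERT may point
# at the CA that signed the server cert, or at the self-signed cert itself.
GOOD_LDAP_CONF='TLS_CACERT /etc/ssl/certs/my-ca.pem
TLS_REQCERT demand'

# The syncrepl consumer stanza (slapd.conf) that does the same on the
# replication connection: require StartTLS and verify the provider's cert
# against the same CA file.  Values are placeholders.
SYNCREPL_STANZA='syncrepl rid=001
  provider=ldap://ldap-master.example.com
  type=refreshAndPersist
  retry="60 +"
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=secret
  starttls=critical
  tls_cacert=/etc/ssl/certs/my-ca.pem
  tls_reqcert=demand'

# ldap_conf_verdict FILE: classify an ldap.conf as
#   insecure   - TLS_REQCERT never/allow present (server cert not enforced)
#   missing-ca - no TLS_CACERT / TLS_CACERTDIR, so verification has no anchor
#   ok         - a trust anchor is configured and verification is not disabled
# Keywords are matched case-insensitively, as ldap.conf(5) treats them, and
# comment lines are ignored.
ldap_conf_verdict() {
    conf="$1"
    if grep -viE '^[[:space:]]*#' "$conf" \
        | grep -iqE '^[[:space:]]*TLS_REQCERT[[:space:]]+(never|allow)([[:space:]]|$)'; then
        echo insecure
    elif ! grep -viE '^[[:space:]]*#' "$conf" \
        | grep -iqE '^[[:space:]]*TLS_CACERT(DIR)?[[:space:]]+[^[:space:]]'; then
        echo missing-ca
    else
        echo ok
    fi
}

# starttls_check_cmd URI: the ldapsearch call that proves the handshake the
# reply talks about.  -ZZ issues StartTLS and fails the search if it does not
# succeed, and with TLS_REQCERT demand that includes certificate verification;
# if this works, syncrepl against the same provider has the TLS side right.
starttls_check_cmd() {
    echo "ldapsearch -ZZ -x -H $1 -b '' -s base '(objectClass=*)' namingContexts"
}

# Run the check if ldapsearch is installed; otherwise just show the command.
run_starttls_check() {
    if command -v ldapsearch >/dev/null 2>&1; then
        ldapsearch -ZZ -x -H "$1" -b '' -s base '(objectClass=*)' namingContexts
    else
        echo "ldapsearch not found; run: $(starttls_check_cmd "$1")"
    fi
}

# Demonstration: lint both configurations.
tmpdir=$(mktemp -d)
printf '%s\n' "$WEAK_LDAP_CONF" > "$tmpdir/weak.conf"
printf '%s\n' "$GOOD_LDAP_CONF" > "$tmpdir/good.conf"
echo "weak.conf: $(ldap_conf_verdict "$tmpdir/weak.conf")"
echo "good.conf: $(ldap_conf_verdict "$tmpdir/good.conf")"
echo "--- ldap.conf ---"; echo "$GOOD_LDAP_CONF"
echo "--- slapd.conf syncrepl ---"; echo "$SYNCREPL_STANZA"
echo "--- check ---"; starttls_check_cmd ldap://ldap-master.example.com
rm -rf "$tmpdir"
```

The lint only reads the file; it does not prove the CA file actually signed the provider's certificate. For that, the ldapsearch -ZZ call against the provider, from the consumer host and with the consumer's ldap.conf in place, is the test to run before touching the syncrepl stanza, since the stanza's tls_cacert and tls_reqcert are meant to mirror the ldap.conf settings that already work.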